Security Operations, February 21, 2024

4 ways hero culture is killing your security program's effectiveness

Learn why cybersecurity hero culture is a problem — and how companies can avoid its negative effects and develop more resilient security operations.

Ericka Chickowski, Freelance writer

Who doesn't love a good hero? In the movies, when the hero swoops in and averts disaster, they receive copious accolades, everyone's satisfied, and the credits roll. In the sequels, new disaster scenarios that no one planned for unfold, but the hero is as fresh and ready as ever to repeat the cycle, singlehandedly taking on the challenge du jour.

In cybersecurity, however, the story is more nuanced — and less cheery. In the trenches of cybersecurity, the hero is often burned out after running around fixing other people's problems. And that leads to them making more mistakes than saves, because they've run out of superhero strength to do anything well anymore. Every time they do fix something, the accolades are few, but the demands increase — while the resources decrease.

Does this sound familiar — and maybe even strike a nerve? While security hero culture is born from good intentions, it is doing more harm than good to companies — and to the health and well-being of the security heroes themselves. Top experts believe that if organizations are going to improve their security posture, they must acknowledge the problems with hero culture and launch a multifaceted effort to overcome it.

Here's why cybersecurity hero culture is a problem — and four examples of how companies and the industry can avoid its negative effects and develop more resilient security operations.


The toxic nature of cybersecurity hero culture

Ali Khan, field CISO at ReversingLabs, suggests a quick gut check: Ask, "Does my security organization put personalities over process?" If the answer is yes, that's a red flag that your organization could be in the throes of hero culture.

This happens when you rely more on a person than you do on a good, solid process, where you trust the process and everyone in the team to act according to it. Here's a very simple example: Each time a midsize organization has some kind of cyber-incident, are people in the business most likely to email a specific person about it, or do they email security@organization.com?

Ali Khan

Security leaders have been exploring the toxicity of cybersecurity hero culture for a while, spotlighting that it could be hurting organizations' cybersecurity outcomes. Some recent examples:

  • Meta's Ryan Nakamoto: "The Detriments of Hero Culture"
  • Google's Anton Chuvakin: "How to Banish Heroes from Your SOC"
  • Security veteran George Sandford: "Don't Get Tangled Up in Your Cape: Hero Culture As a Negative Force in Cyber"

One of the most comprehensive explorations on the topic to date was a recent in-depth examination of where security hero culture comes from, why it's hurting security professionals and security performance, and why management is disincentivized to stop it.

Application security (AppSec) veteran Kymberlee Price, founder and CEO of Zatik, who wrote the piece with Ross Haleliuk, head of product for LimaCharlie, said in an interview about the piece that the problem is clear: "It feels good to be a hero." However, hero culture leads to a counterproductive outcome.

[If] you take it to the extreme, it can be incredibly detrimental for both the people and the companies. And that's the conversation we're trying to start, which is, How do we not only make sure that the security workers are healthy and sustainable, but in a way that's better for the companies?

Kymberlee Price

Haleliuk and Price's takedown of hero culture gauges the pain being felt in organizations today as cyberattacks ramp up generally — and as software supply chain security becomes front and center for organizations. Kelly Shortridge, a longtime product security advocate and senior principal engineer in the office of the CTO at Fastly, recently took on a related issue in software engineering, in a post titled "Cybersecurity Isn't Special." In it, she rails against "power-tripping" cybersecurity programs and professionals that treat security concerns as separate from the whole — to the detriment of the outcome.

[Security] can’t pretend like security failure is so distinct in importance and impact that it requires completely separate workflows, stacks, reviews, tooling, design, and basically everything else. We should care about cybersecurity but we should not silo it or treat its concerns as separate because it actually worsens the outcomes we purportedly care about long-term.

Kelly Shortridge

4 problems stemming from hero culture

When you boil down the issues that all these thought leaders bring up about cybersecurity hero culture, certain themes start to emerge across all those talking points. Foremost among them is that when cybersecurity hero mentality prevails, the following consequences ripple out from that culture:

1. The risk prioritization anti-pattern

One of the biggest dangers of cybersecurity hero culture is the underlying drumbeat of perfectionism that drives those in its thrall.

We see this happen in a lot of places where it's like you feel like, as a security leader, you have to be perfect and you have to save every person from every crime. We simply can't do that.

Kymberlee Price

Succumbing to the perfectionist mindset pushes security teams into an anti-pattern that runs counter to sound risk management. Whereas risk management is all about prioritizing risks, because there is no such thing as a risk-free environment, hero culture tends to get caught up in the snipe hunt of risk elimination.

This is where the storyline links up with the security exceptionalism problem highlighted by Fastly's Shortridge in her recent post. Security practitioners become gatekeepers when they start to believe they can eliminate every threat. And that's exactly when they're most likely to elevate cyber-risks above all the other risks the business must consider: business risks, speed-to-market risks, software resiliency risks, etc.

Reliability failures are arguably both more frequent and more damaging when they occur; developer productivity failures can mean the difference between successful market differentiation and losing market share.

Kelly Shortridge

2. Burnout begets burnout

Security burnout is one of the biggest mental health and productivity issues in the industry today — and the experts believe that hero culture is a huge contributor to the problem. The harder security heroes are worked, the less headspace they have to come up with creative ways to address root causes to problems and help the business build security by design.

If you're grabbing all the dropping balls and throwing them back up in the air, then you don't have time to take a step back and think creatively about secure design, or 'How do we partner with the architects to develop this more securely?' because you're so busy trying to patch up the last thing that got shipped. If we continue this hero culture, the burnout cycle continues.

Kymberlee Price

3. Cybersecurity's free-rider problem in reverse

The burnout cycle is also self-perpetuating because the business managing the heroes expects — implicitly and explicitly — that these passionate workers will always put in the extra hours to get things done, which means it can get away with understaffing the security teams. It's like the free-rider problem in reverse. "I think being passionate about your profession is great. Trying to do your very best and having that drive to overdeliver. Having that drive to spend your free time to learn more about the things you're passionate about is great," said LimaCharlie's Haleliuk.

The problem becomes when companies see it [but are] incentivized to exploit that passion, to double down on that passion, and to underinvest in their security operations because they know that there are people on their teams who have the desire to do the best they can, and they know that they'll step in and cover up for the gaps and goals the organization just lets persist by design.

Ross Haleliuk

4. Lone rangers aren't team players

The most fundamental problem with hero culture is that it kills so many chances for effective teamwork. Heroes tend to work in isolation. Even when a security leader can put together a team of heroes, they're still working in isolation from the rest of the business, which means you lose the chance for cross-disciplinary excellence.

As long as companies continue to believe that they are making the best business decisions by doing what they're doing today, they won't change, ReversingLabs' Khan said.

I've worked with a lot of people who are really good at what they do and are specialists, and so that provides a really good advantage, but it doesn't really help in a team culture environment because cybersecurity is a team sport and software development is very much a team sport. It's really hard for engineers, pen testers, security orchestrators, playbook builders, architects, and overall solution managers to work with a superhero. Someone with that mentality can put a damper on the team because their teammates sometimes step aside and take less responsibility.

Ali Khan

Process over personalities

Hero culture is hurting both AppSec and SecOps in a lot of ways. So how does the industry fix this problem? Price and Haleliuk argue that many practitioners are addicted to the habit of heroic overwork — and the intermittent dopamine rewards they get when they do manage to save the day.

The employees who say, 'I'm going to break out of the security hero model,' they have to detox just like somebody trying to give up a gambling addiction. That habit of constantly thinking about work takes time to break. And that won't break without cultural support at work, without a boss being like, 'Hey, why are you online on the weekends? I don't expect you to be online on the weekends. What'd you do this weekend that was fun?'

Kymberlee Price

When that kind of support is lacking, setting boundaries against managerial expectations of heroism can threaten your career track. Price points out that people who read her and Haleliuk's piece and decide to set boundaries at work and put in no more than 45 to 50 hours per week could end up losing their job if their employer isn't on board with that.

That is why Price thinks the industry needs to find ways to collect data and research that shows how burnout affects security outcomes and that measure what realistic work scoping looks like in a security operations center (SOC) and other parts of the security team.

Haleliuk noted that, to truly move business leaders, studies would have to demonstrate how poor outcomes detrimentally affect the bottom line, but he isn't optimistic that the industry will be able to find that.

As long as companies continue to believe that they are making the best business decisions by doing what they're doing today, I don't anticipate they will be incentivized to change.

Ross Haleliuk

Khan said individuals and security managers can make a dent at their own organizations if they start recognizing the power of processes over personalities. This goes for SOC incident response as much as for creating less-risky software development patterns.

What we really need is good, solid processes and playbooks and crisis communication plans — and we've really got to follow those plans.

Ali Khan
